Bug 1966253 (CVE-2021-33571) - CVE-2021-33571 django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
Summary: CVE-2021-33571 django: Possible indeterminate SSRF, RFI, and LFI attacks sinc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33571
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1967159 1967425 1967426 1967427 1967428 1972123 1973739 1973741 1967157 1967158 1967160 1968063 1968066 1968087 1968297 1968298 1968299 1973740
Blocks: 1966255
TreeView+ depends on / blocked
 
Reported: 2021-05-31 18:09 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
59 users (show)

Fixed In Version: Django 3.2.4, Django 3.1.12, Django 2.2.24
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. Leading zeros in octal literals aren't prohibited in IP addresses. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity.
Clone Of:
Environment:
Last Closed: 2021-09-15 18:21:17 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3490 0 None None None 2021-09-15 06:38:27 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:08:21 UTC
Red Hat Product Errata RHSA-2021:5070 0 None None None 2021-12-09 20:16:42 UTC

Description Pedro Sampaio 2021-05-31 18:09:13 UTC
:class:`~django.core.validators.URLValidator`,
:func:`~django.core.validators.validate_ipv4_address`, and
:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.

:func:`~django.core.validators.validate_ipv4_address` and
:func:`~django.core.validators.validate_ipv46_address` validators were not
affected on Python 3.9.5+.

Comment 2 Summer Long 2021-06-03 06:57:10 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1967425]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1967426]
Affects: fedora-all [bug 1967428]
Affects: openstack-rdo [bug 1967427]

Comment 7 Yadnyawalk Tale 2021-06-05 00:04:28 UTC
This Django issue also has something to do with CVE-2021-29921 of Python. Here is the original discussion and report: https://bugs.python.org/issue36384

In short, Python was rejecting IPv4 with leading zeroes as ambiguously octal which got fixed in Python 3.8 but it created a regression. Further, they've fixed it in Python 3.9.5 finally. Thus validate_ipv4_address() was affected only on Python < 3.9.5.

* This was the fix which got reverted in 3.8:
https://github.com/python/cpython/commit/e653d4d8e820a7a004ad399530af0135b45db27a
* This patch is the final fix for vulnerability in Python:
https://github.com/python/cpython/pull/25099

Django also affected by the similar leading zeros in octal literals thing and this flaw is about that. 

// 1.11.x

For 1.11.x streams, code uses following URLValidator expression:
~~~
Django-1.11.13/django/core/validators.py:83:    ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
Django-1.11.29/django/core/validators.py:83:    ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
~~~

This are the exact expressions which are causing improper input validation of octal strings thus Django 1.11.x looks affected as well. However, this stream has ended its extended support on April 1, 2020 and we do not have its official fix from Django team: https://www.djangoproject.com/download/#supported-versions

Ideal fix for Django 2.2.x looks like this:
https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc

More information about patch can be found here:
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

Comment 10 Tapas Jena 2021-06-18 15:34:30 UTC
Analysis is complete for Ansible. As a result, it was found that, AAP 1.2 is using the affected version of DJango along with the vulnerable functionality i.e. URLValidator() function/method. Ansible Components like Ansible Tower, AWX, Galaxy_NG and Pulp Core are found to be using URLValidator() function/method . 

However, the other affected functionalities which are validate_ipv4_address() Or validate_ipv46_address() are not in use by any components of Ansible.Again, these specific functions are vulnerable in Python version < 3.9.5+ and the current Python version being used by Ansible Components is 3.6.8.

Hence, marking Ansible as "affected" by this vulnerability with "medium" severity.

Comment 12 Tapas Jena 2021-06-18 15:36:53 UTC
Tracker for Tower 3.6 has been skipped as its already EOL.

Comment 18 errata-xmlrpc 2021-09-15 06:38:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

Comment 19 Product Security DevOps Team 2021-09-15 18:21:17 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33571

Comment 20 errata-xmlrpc 2021-11-16 14:08:18 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 21 errata-xmlrpc 2021-12-09 20:16:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070


Note You need to log in before you can comment on or make changes to this bug.